'Rapport' Security

hpuse

joe134 wrote: »

Hi, HSBC, only ask for DOB+certain numbers of 6 digit pin.which to my knowledge cannot be changed without phoning them, DOB is unchangable ,I have asked for more secure login details to no avail.You do not even enter the IB number on a secure site.so all I rely on is DOB+ 6 digit pin, really it,s only the pin number that they need, DOB can be obtained using various means.Not even letters in pin.Hardly secure is it? If anyone knows different I for one would like to know.Rapport on reading it offers a panacea to logging in,especially key loggers, but , as this site proves, it,s only another hurdle, and a problematic one for the likes of me, et al, if it corrupts my system up.

In my view, HSBC-UK is trying to cover the "big hole" in their security/authentication framework for IB transactions with this infamous piece of software rather than engineering and implementing new measures.
It is now a days so easy to obtain date of birth of a person (for e.g. company house files, council, GPs etc etc) and rest you need are just 3 digits to unlock all accounts grouped at one place. Very very fragile security in my opinion and they got it fundementally wrong at the first place. For e.g, IB system wouldn't even ask for authentation when making a bank-to-bank account transfer to anyone registered new.

Now coming to this software, it’s not a security enhancing software it is more like we have a hole, and we trying to fill it-with-vacuum type of thing. I do not see how a browser plug-in or DLL would give that added security without bringing new measures in. At least first direct is bit better!

oldfella

ethereal wrote: »

I may have got it wrong, but from what I can gather, Rapport is a plug-in for your browser, so if you had Firefox 3.5 which comes with Anti-Malware and Anti-Phishing additions anyway, then why add Rapport to it? :undecided

it is not just anti-malware, the objective is to keep you safe from any pre-existing key-loggers on your machine

david78

KingL wrote: »

Also, I haven't checked recently, but if I remember correctly, if you keep any written record of your HSBC login credentials (e.g. in Keypass, Egg moneymanager etc) it is a direct infringement of your HSBC terms and conditions.
,

How would they know with keepass, unless you tell them.:think:

Actually I think its perfectly ok to use encryption software. After all this is what HTTPS does.

gt94sss2

hpuse wrote: »

In my view, HSBC-UK is trying to cover the "big hole" in their security/authentication framework for IB transactions with this infamous piece of software rather than engineering and implementing new measures.
It is now a days so easy to obtain date of birth of a person (for e.g. company house files, council, GPs etc etc) and rest you need are just 3 digits to unlock all accounts grouped at one place. Very very fragile security in my opinion and they got it fundementally wrong at the first place. For e.g, IB system wouldn't even ask for authentation when making a bank-to-bank account transfer to anyone registered new.

My understanding is that HSBC suffer the lowest levels of internet banking fraud in the UK compared to the other big banks - so obviously whatever they do seems to work.

I believe HSBC have much more in the way of back end technology/checks that you don't see than other banks..

Regards
Sunil

hpuse

gt94sss2 wrote: »

My understanding is that HSBC suffer the lowest levels of internet banking fraud in the UK compared to the other big banks - so obviously whatever they do seems to work.

I believe HSBC have much more in the way of back end technology/checks that you don't see than other banks..

Regards
Sunil

Not sure where that understanding came from, as far as I am aware there is no official data in the public domain yet that gives number of frauds committed per bank.
HSBC-UK suffers from a 'legacy issue' because they were the first bank to have internet banking introduced keeping it inline with their phone banking system. Ever since then, their authentication framework lacks that extra 'proofing layer' for web channel that is mostly found in other internet based banking systems.
In my opinion, using Trusteer will not provide that proofing to them or to their customers becuase data stealing or 'brute-force' fraud still easily be committed. As I mentioned in my previous post, all you need is 3 digits and technically speaking, probability of getting this right is only 1 in around 800 (hope I got my maths right). Just multiply the same with the no: of customer accounts they have, you will know what I mean. Hence HSBC would stand top in the list if you base your understanding purely on science, rather statistics

oldfella

In my opinion, using Trusteer will not provide that proofing to them or to their customers

---

the only benefit in connectivity is checking the IP address is correct. Prime benefit is in reducing interference with the client desktop

gt94sss2

hpuse wrote: »

Not sure where that understanding came from, as far as I am aware there is no official data in the public domain yet that gives number of frauds committed per bank.

I'm sure I have previously seen a web page showing how much the big banks lost (by value) due to internet banking - with HSBC being the lowest of the big UK banks but can't find the link atm.

HSBC-UK suffers from a 'legacy issue' because they were the first bank to have internet banking introduced keeping it inline with their phone banking system. Ever since then, their authentication framework lacks that extra 'proofing layer' for web channel that is mostly found in other internet based banking systems.

I don't see why legacy issues should affect HSBC UK as I believe that most of HSBCs web sites around the world now operate on the same platform (i.e. they share similar code) as part of their 'One HSBC' programme and in the past they have changed the internet banking login process in some other countries (Egypt seems to be a good example)

In my opinion, using Trusteer will not provide that proofing to them or to their customers becuase data stealing or 'brute-force' fraud still easily be committed. As I mentioned in my previous post, all you need is 3 digits and technically speaking, probability of getting this right is only 1 in around 800 (hope I got my maths right). Just multiply the same with the no: of customer accounts they have, you will know what I mean.

I think it might be 1 in a 1000 - and that HSBC will block access to an account if the wrong combination is put in 3 times + there is no easy way (I think) of finding out someone's IB number in the first place.. Also, some transactions now have two factor authentication and they monitor all transactions (regardless of if they are online, in person or by telephone) to spot odd patterns..

However, I agree that the Trusteer software is mainly to prevent phishing and check IP addresses - by those users who don't know how to check security certificates for themselves..

Regards
Sunil

hpuse

I'm sure I have previously seen a web page showing how much the big banks lost (by value) due to internet banking - with HSBC being the lowest of the big UK banks but can't find the link atm.

If you sure, then you should be sure of furnishing the same. Trust me, these type of information is never let out to public domain per bank. Also note, banking frauds are to be treated different from online frauds. Online frauds are mainly (atleast 80%) done on personal accounts.

I think it might be 1 in a 1000 - and that HSBC will block access to an account if the wrong combination is put in 3 times + there is no easy way (I think) of finding out someone's IB number in the first place.. Also, some transactions now have two factor authentication and they monitor all transactions (regardless of if they are online, in person or by telephone) to spot odd patterns..

Some humble facts for you to know :

- HSBC has more no: of current accounts than any other high street banks
- Multiply all those active accounts with your probability figure (which you forgot:-)
- In 2007, a survey found 3 of 10 wallets contain personal internet banking information written out in someway or the other.
- Again use probability to find out how many HSBC account would fall in that
- Last but not least, all banks throw you out if you fail authentication 3 times.

Former_MSE_Alana

Hi all,

We have received this response from Trusteer:

"Dear forum members,

An increase in boot-up time is commonly caused by low memory availability. We would first like to ask users who experience this to check the amount of physical memory available.

This can be done by pressing the Windows key and the “R” key, then typing msinfo32 into the ‘run’ command.

If this is not the reason, or if you would like to consult us regarding the amount of physical memory you have available, please contact our support team at support@trusteer.com and we would be very eager to study the problem and understand if there is any kind of conflict with Rapport on your computer.

Sincerely,
Trusteer Technical Support Team"

masonic

david78 wrote: »

Actually I think its perfectly ok to use encryption software. After all this is what HTTPS does.

...except that the consequences of a failure in the https protocol would be borne by the bank, whereas the consequences of a failure in your encryption software would be borne by you (if the bank was able to discern what you were doing). As long as people are aware that there is a shift in liability away from the bank when their login details are processed by third party software, then it is quite rational to use encryption software that has been researched and determined trustworthy.